diff options
author | Damien Miller <djm@cvs.openbsd.org> | 2014-04-21 22:15:38 +0000 |
---|---|---|
committer | Damien Miller <djm@cvs.openbsd.org> | 2014-04-21 22:15:38 +0000 |
commit | e9cbdcece947a3076562ddbb8984f315a6cb6aac (patch) | |
tree | 68a5af0ba445714262c2552f1564dd8effb1fdbf /regress/usr.bin/ssh | |
parent | efa18eb98aea7fe0e0cd74af0a4854140349c341 (diff) |
repair regress tests broken by server-side default cipher/kex/mac changes
by ensuring that the option under test is included in the server's
algorithm list
Diffstat (limited to 'regress/usr.bin/ssh')
-rw-r--r-- | regress/usr.bin/ssh/dhgex.sh | 6 | ||||
-rw-r--r-- | regress/usr.bin/ssh/integrity.sh | 7 | ||||
-rw-r--r-- | regress/usr.bin/ssh/kextype.sh | 7 | ||||
-rw-r--r-- | regress/usr.bin/ssh/rekey.sh | 20 | ||||
-rw-r--r-- | regress/usr.bin/ssh/try-ciphers.sh | 7 |
5 files changed, 37 insertions, 10 deletions
diff --git a/regress/usr.bin/ssh/dhgex.sh b/regress/usr.bin/ssh/dhgex.sh index 4c1a3d83cec..57fca4a32e9 100644 --- a/regress/usr.bin/ssh/dhgex.sh +++ b/regress/usr.bin/ssh/dhgex.sh @@ -1,10 +1,11 @@ -# $OpenBSD: dhgex.sh,v 1.1 2014/01/25 04:35:32 dtucker Exp $ +# $OpenBSD: dhgex.sh,v 1.2 2014/04/21 22:15:37 djm Exp $ # Placed in the Public Domain. tid="dhgex" LOG=${TEST_SSH_LOGFILE} rm -f ${LOG} +cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak kexs=`${SSH} -Q kex | grep diffie-hellman-group-exchange` @@ -14,6 +15,9 @@ ssh_test_dhgex() cipher="$1"; shift kex="$1"; shift + cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy + echo "KexAlgorithms=$kex" >> $OBJ/sshd_proxy + echo "Ciphers=$cipher" >> $OBJ/sshd_proxy rm -f ${LOG} opts="-oKexAlgorithms=$kex -oCiphers=$cipher" groupsz="1024<$bits<8192" diff --git a/regress/usr.bin/ssh/integrity.sh b/regress/usr.bin/ssh/integrity.sh index 32be98fad15..2625edc64d6 100644 --- a/regress/usr.bin/ssh/integrity.sh +++ b/regress/usr.bin/ssh/integrity.sh @@ -1,7 +1,8 @@ -# $OpenBSD: integrity.sh,v 1.12 2013/11/21 03:18:51 djm Exp $ +# $OpenBSD: integrity.sh,v 1.13 2014/04/21 22:15:37 djm Exp $ # Placed in the Public Domain. tid="integrity" +cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak # start at byte 2900 (i.e. after kex) and corrupt at different offsets # XXX the test hangs if we modify the low bytes of the packet length @@ -28,11 +29,15 @@ for m in $macs; do # avoid modifying the high bytes of the length continue fi + cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy # modify output from sshd at offset $off pxy="proxycommand=$cmd | $OBJ/modpipe -wm xor:$off:1" if ssh -Q cipher-auth | grep "^${m}\$" >/dev/null 2>&1 ; then + echo "Ciphers=$m" >> $OBJ/sshd_proxy macopt="-c $m" else + echo "Ciphers=aes128-ctr" >> $OBJ/sshd_proxy + echo "MACs=$m" >> $OBJ/sshd_proxy macopt="-m $m -c aes128-ctr" fi verbose "test $tid: $m @$off" diff --git a/regress/usr.bin/ssh/kextype.sh b/regress/usr.bin/ssh/kextype.sh index 8c2ac09d66d..6f952f4e4ac 100644 --- a/regress/usr.bin/ssh/kextype.sh +++ b/regress/usr.bin/ssh/kextype.sh @@ -1,4 +1,4 @@ -# $OpenBSD: kextype.sh,v 1.4 2013/11/07 04:26:56 dtucker Exp $ +# $OpenBSD: kextype.sh,v 1.5 2014/04/21 22:15:37 djm Exp $ # Placed in the Public Domain. tid="login with different key exchange algorithms" @@ -7,6 +7,11 @@ TIME=/usr/bin/time cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak +# Make server accept all key exchanges. +ALLKEX=`ssh -Q kex` +KEXOPT=`echo $ALLKEX | tr ' ' ,` +echo "KexAlgorithms=$KEXOPT" >> $OBJ/sshd_proxy + tries="1 2 3 4" for k in `${SSH} -Q kex`; do verbose "kex $k" diff --git a/regress/usr.bin/ssh/rekey.sh b/regress/usr.bin/ssh/rekey.sh index cf9401ea014..fd452b03451 100644 --- a/regress/usr.bin/ssh/rekey.sh +++ b/regress/usr.bin/ssh/rekey.sh @@ -1,4 +1,4 @@ -# $OpenBSD: rekey.sh,v 1.14 2013/11/21 03:18:51 djm Exp $ +# $OpenBSD: rekey.sh,v 1.15 2014/04/21 22:15:37 djm Exp $ # Placed in the Public Domain. tid="rekey" @@ -6,14 +6,22 @@ tid="rekey" LOG=${TEST_SSH_LOGFILE} rm -f ${LOG} +cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak # Test rekeying based on data volume only. # Arguments will be passed to ssh. ssh_data_rekeying() { + _kexopt=$1 ; shift + _opts="$@" + if ! test -z "$_kexopts" ; then + cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy + echo "$_kexopt" >> $OBJ/sshd_proxy + _opts="$_opts -o$_kexopt" + fi rm -f ${COPY} ${LOG} - ${SSH} <${DATA} -oCompression=no $@ -v -F $OBJ/ssh_proxy somehost \ - "cat > ${COPY}" + _opts="$_opts -oCompression=no" + ${SSH} <${DATA} $_opts -v -F $OBJ/ssh_proxy somehost "cat > ${COPY}" if [ $? -ne 0 ]; then fail "ssh failed ($@)" fi @@ -41,7 +49,7 @@ done for opt in $opts; do verbose "client rekey $opt" - ssh_data_rekeying -oRekeyLimit=256k -o$opt + ssh_data_rekeying "$opt" -oRekeyLimit=256k done # AEAD ciphers are magical so test with all KexAlgorithms @@ -49,14 +57,14 @@ if ${SSH} -Q cipher-auth | grep '^.*$' >/dev/null 2>&1 ; then for c in `${SSH} -Q cipher-auth`; do for kex in `${SSH} -Q kex`; do verbose "client rekey $c $kex" - ssh_data_rekeying -oRekeyLimit=256k -oCiphers=$c -oKexAlgorithms=$kex + ssh_data_rekeying "KexAlgorithms=$kex" -oRekeyLimit=256k -oCiphers=$c done done fi for s in 16 1k 128k 256k; do verbose "client rekeylimit ${s}" - ssh_data_rekeying -oCompression=no -oRekeyLimit=$s + ssh_data_rekeying "" -oCompression=no -oRekeyLimit=$s done for s in 5 10; do diff --git a/regress/usr.bin/ssh/try-ciphers.sh b/regress/usr.bin/ssh/try-ciphers.sh index ac34cedbf91..2881ce16c13 100644 --- a/regress/usr.bin/ssh/try-ciphers.sh +++ b/regress/usr.bin/ssh/try-ciphers.sh @@ -1,13 +1,18 @@ -# $OpenBSD: try-ciphers.sh,v 1.22 2013/11/21 03:18:51 djm Exp $ +# $OpenBSD: try-ciphers.sh,v 1.23 2014/04/21 22:15:37 djm Exp $ # Placed in the Public Domain. tid="try ciphers" +cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak + for c in `${SSH} -Q cipher`; do n=0 for m in `${SSH} -Q mac`; do trace "proto 2 cipher $c mac $m" verbose "test $tid: proto 2 cipher $c mac $m" + cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy + echo "Ciphers=$c" >> $OBJ/sshd_proxy + echo "MACs=$m" >> $OBJ/sshd_proxy ${SSH} -F $OBJ/ssh_proxy -2 -m $m -c $c somehost true if [ $? -ne 0 ]; then fail "ssh -2 failed with mac $m cipher $c" |